Note: this report may be incomplete because the AI analysis reached the following limit(s): token.

# Malware Analysis Report

## Summary

| Field | Detail |
|-------|--------|
| Analysis ID | #AID=30# |
| File Name | 1fd921159de8ccf3c33c7ad3d52a4186c2695b858435e8e327c4d95a8d1b048a |
| File Type | PE (DLL), x64 |
| Architecture | x64 |
| Size | 251904 bytes |
| Compiler | MSVC 2019 (v16.11.21) |
| Metadata | Claims to be "Microsoft® Active Directory Certificate Services Sample Policy Module" (CertPSam.dll) |
| Exports | DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, npmserver_options_manifest |
| Kesakode Verdict | PNGPlugLoader (confidence 0/100, i.e. no usable signature match; the family label should not be relied on) |
| Key Anomalies | ImportByHash, UnsignedMicrosoft, DynamicString, StackArrayInitialisationX64, WeirdDebugInfoType, SectionNameUnknown |

### Inferred Behavior

The DLL masquerades as a legitimate Microsoft certificate policy module but contains malicious functionality. It employs **API hashing** to resolve the WinINet functions `InternetOpenA`, `InternetOpenUrlA`, `InternetReadFile` and `InternetCloseHandle`, plus `LoadLibraryA`, at run time from hash constants rather than through the import table. It builds the URL string `http://www.royalsevres.com/javascript/activex_patch.hwp` (plain HTTP, not HTTPS) and carries **AES/Rijndael** decryption routines. The download is performed by `sub_1800086f0`, which is reached from the exported `npmserver_options_manifest` (an export that does not belong to the standard COM self-registration set); the remaining functions handle COM category registration and registry manipulation, as a genuine certificate policy module would. The downloader retrieves a payload from the C2 URL, most likely decrypts it with AES, and is presumed to execute it, giving the attacker a way to stage additional malware.

### Sub-files

- No carved or embedded sub-files; only standard PE sections and virtual files (TYPELIB, STR, VER, MANIF), which are normal for a COM DLL.
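The hashed-import resolution described above is usually confirmed by recomputing the hashes of the suspected API names and searching the binary for the resulting constants. The block below is an added example, not code from the report or from the sample: the report does not name the hash algorithm or give the constants, so ROR13 and djb2 are assumed candidate algorithms (two common choices in such resolvers), and the "image" it scans is a constructed stand-in for a function body, not bytes from the sample.

```python
"""Added example (not from the report or the sample): recompute candidate
API-name hashes and scan a file image for the resulting constants.

The report only says the resolver walks the PEB export tables and compares
hash constants; it does not name the algorithm.  ROR13 and djb2 below are
ASSUMED candidates.  A real triage run tries several variants (with/without
a trailing NUL, case folding, other rotation counts) until the constants
found in the binary match the API names the analyzer reported.
"""
import struct

# API names the report says are resolved via hashing.
RESOLVED_APIS = [
    "InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
    "InternetCloseHandle", "LoadLibraryA",
]


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def ror13_hash(name: str, nul_terminated: bool = False) -> int:
    """ASSUMED resolver hash: h = ror32(h, 13) + byte over the ASCII name.
    Some variants also feed the terminating NUL; exposed as a switch."""
    data = name.encode("ascii") + (b"\x00" if nul_terminated else b"")
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def djb2_hash(name: str) -> int:
    """Second ASSUMED candidate, to show variants being tried side by side."""
    h = 5381
    for b in name.encode("ascii"):
        h = ((h * 33) + b) & 0xFFFFFFFF
    return h


CANDIDATE_ALGORITHMS = {
    "ror13": lambda n: ror13_hash(n),
    "ror13+nul": lambda n: ror13_hash(n, nul_terminated=True),
    "djb2": djb2_hash,
}


def build_hash_table(names=RESOLVED_APIS):
    """Map (algorithm, hash constant) -> API name for every candidate."""
    table = {}
    for algo, fn in CANDIDATE_ALGORITHMS.items():
        for name in names:
            table[(algo, fn(name))] = name
    return table


def scan_image_for_hashes(image: bytes, names=RESOLVED_APIS):
    """Find every candidate constant stored as a little-endian DWORD (how an
    x64 immediate or data word is laid out) anywhere in `image`.
    Returns a sorted list of (offset, algorithm, api_name)."""
    hits = []
    for (algo, h), name in build_hash_table(names).items():
        needle = struct.pack("<I", h)
        start = 0
        while True:
            pos = image.find(needle, start)
            if pos < 0:
                break
            hits.append((pos, algo, name))
            start = pos + 1
    return sorted(hits)


def constructed_image() -> bytes:
    """CONSTRUCTED stand-in for a function body: NOP filler with the ror13
    constants of three APIs embedded as `mov ecx, imm32` (B9 xx xx xx xx)."""
    filler = bytes([0x90] * 16)
    image = bytearray(filler)
    for name in ("InternetOpenA", "InternetReadFile", "LoadLibraryA"):
        image += b"\xB9" + struct.pack("<I", ror13_hash(name))
        image += filler
    return bytes(image)


if __name__ == "__main__":
    for name in RESOLVED_APIS:
        print(f"{name:20s} ror13=0x{ror13_hash(name):08x} "
              f"djb2=0x{djb2_hash(name):08x}")
    for off, algo, name in scan_image_for_hashes(constructed_image()):
        print(f"offset 0x{off:04x}: {algo:10s} {name}")
```

Against the real sample, the image passed to `scan_image_for_hashes` would be the `.text` section (or the bytes of `sub_180008440`), and a hit for all five names under one algorithm both confirms the ImportByHash finding and names the algorithm; no hit means another variant must be added to `CANDIDATE_ALGORITHMS`.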
### IOCs

- **URL:** `http://www.royalsevres.com/javascript/activex_patch.hwp`
- **Domain:** `royalsevres.com`
- **File hash:** `1fd921159de8ccf3c33c7ad3d52a4186c2695b858435e8e327c4d95a8d1b048a`
- **Internal name:** `CertPSam.dll`
- **Compilation timestamp:** 2024-10-28 16:32:55 (from the debug dates)
- **AES constants** present in the data sections (Rijndael tables)

## Key Detections

1. **ImportByHash**: resolves the WinINet APIs and `LoadLibraryA` through hashed names, so they never appear in the import table and static analysis misses them.
2. **Malicious URL**: the C2 URL `http://www.royalsevres.com/javascript/activex_patch.hwp` is not a Microsoft domain and serves a supposed "patch"; the `.hwp` extension (Hangul Word Processor document) under a `javascript/` path is itself inconsistent with what the name suggests.
3. **UnsignedMicrosoft**: the PE claims to be a Microsoft binary but carries no embedded Authenticode signature.
4. **WeirdDebugInfoType**: unusual debug information format, suggesting tampering.
5. **SectionNameUnknown**: section `_RDATA` is not a standard PE section name.
6. **AES cryptographic primitives**: decryption tables consistent with decrypting the payload fetched from the C2 server.
7. **Dynamic strings and stack array initialisation**: binary blobs built on the stack likely encode configuration or decryption material.
8. **Spaghetti code**: numerous functions with high intra-function jump counts, possibly obfuscation.
9. **Internet connectivity**: the DLL can download external content, which is atypical for a certificate policy module.

## Counter Arguments

- The file does contain legitimate COM registration routines (`DllRegisterServer`, `DllUnregisterServer`) and uses real certificate policy interfaces (`ICertServerPolicy`, `ICertEncodeBitString`). A clean version of this sample policy module may exist.
- The Kesakode confidence score is 0/100, meaning no strong signature match was found; the PNGPlugLoader label is therefore not corroborated.
- Many genuine Microsoft binaries are catalog-signed rather than carrying an embedded Authenticode signature, so UnsignedMicrosoft on its own is weak evidence; here it only reinforces the other indicators.
- The presence of AES and Internet APIs could in principle belong to a benign update mechanism, but that reading is hard to reconcile with the non-Microsoft domain and the deliberately hidden imports.
## Evidence

- **API resolution:** function `sub_180008440` (ea 30784) walks the PEB, hashes export names and resolves `InternetOpenA`, `InternetOpenUrlA`, `InternetReadFile`, `InternetCloseHandle` and `LoadLibraryA` by comparing against hash constants (anomaly `ImportByHash` at eas 31520, 31620, 31630, 31643, 31656).
- **Download logic:** `sub_1800086f0` (ea 31472) calls the resolved WinINet APIs to open the URL, read the response into an allocated buffer, and append it to a string passed in as a parameter.
- **Malicious URL:** string at ea 209192: `http://www.royalsevres.com/javascript/activex_patch.hwp` (score 106, tag URL).
- **Crypto:** Rijndael/AES constants detected: `Rijndael_Td0`, `Td1`, `Td2`, `Td3`, `rcon`, `S-box`, `Si-box`, consistent with decryption of the downloaded payload.
- **Unsigned:** the version info states "Microsoft Corporation" and "Windows (R) Win 7 DDK provider", but no digital certificate is present (anomaly `UnsignedMicrosoft`).

## Verdict

**Malicious**, high confidence (85%). The DLL is a trojanized version of a legitimate certificate policy sample, weaponized with a downloader that fetches a payload from a non-Microsoft domain. It evades detection by hashing API calls and uses AES to decrypt the second stage. The combination of suspicious network indicators, API obfuscation, and the embedded C2 URL strongly indicates malware.
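The Rijndael evidence above rests on recognising the constant tables. An analyst who wants to confirm such a hit independently of the analyzer regenerates the tables from GF(2^8) arithmetic and searches the binary for them, which also reveals which tables are present (decrypt-only `Td*` versus encrypt `Te*`). The block below is an added example, not code from the report or the sample; the "image" it scans is a constructed stand-in for an `.rdata` section, and the little-endian word layout is an assumption about how an x64 MSVC build stores `static const` 32-bit tables.

```python
"""Added example (not from the report): regenerate the Rijndael constants the
analyzer flagged (S-box, Si-box, rcon, Td0..Td3) and scan an image for them.
"""
import struct


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def make_sbox():
    """Forward S-box: multiplicative inverse, then the AES affine map."""
    inverse = [0] * 256
    for a in range(1, 256):
        for b in range(1, 256):
            if gf_mul(a, b) == 1:
                inverse[a] = b
                break
    return [x ^ _rotl8(x, 1) ^ _rotl8(x, 2) ^ _rotl8(x, 3) ^ _rotl8(x, 4) ^ 0x63
            for x in inverse]


def make_inv_sbox(sbox):
    inv = [0] * 256
    for i, v in enumerate(sbox):
        inv[v] = i
    return inv


def make_rcon(rounds: int = 10):
    """Round constants as single bytes (some builds store them as 32-bit words)."""
    rcon, r = [], 1
    for _ in range(rounds):
        rcon.append(r)
        r = gf_mul(r, 2)
    return rcon


def make_td_tables(inv_sbox):
    """Decryption T-tables as laid out in the reference rijndael-alg-fst.c:
    Td0[x] = 0e*Si[x] << 24 | 09*Si[x] << 16 | 0d*Si[x] << 8 | 0b*Si[x];
    Td1..Td3 are byte rotations of Td0."""
    td0 = []
    for x in range(256):
        s = inv_sbox[x]
        td0.append((gf_mul(s, 0x0E) << 24) | (gf_mul(s, 0x09) << 16)
                   | (gf_mul(s, 0x0D) << 8) | gf_mul(s, 0x0B))

    def rotr(w, n):
        return ((w >> n) | (w << (32 - n))) & 0xFFFFFFFF

    return [td0, [rotr(w, 8) for w in td0],
            [rotr(w, 16) for w in td0], [rotr(w, 24) for w in td0]]


def aes_signatures():
    """Byte patterns to search for.  Word tables are packed little-endian,
    ASSUMED to match an x64 MSVC build of `static const unsigned int Td0[256]`."""
    sbox = make_sbox()
    inv = make_inv_sbox(sbox)
    sigs = {"S-box": bytes(sbox), "Si-box": bytes(inv), "rcon": bytes(make_rcon())}
    for i, tbl in enumerate(make_td_tables(inv)):
        sigs[f"Rijndael_Td{i}"] = struct.pack("<256I", *tbl)
    return sigs


def scan_for_aes_tables(image: bytes):
    """Return {signature_name: offset} for every full table present in `image`."""
    return {name: image.find(pat) for name, pat in aes_signatures().items()
            if pat in image}


def constructed_image() -> bytes:
    """CONSTRUCTED stand-in for an .rdata section carrying only what a
    decrypt-only implementation needs: Td0, the inverse S-box and rcon."""
    sigs = aes_signatures()
    pad = b"\x00" * 64
    return pad + sigs["Rijndael_Td0"] + pad + sigs["Si-box"] + pad + sigs["rcon"] + pad


if __name__ == "__main__":
    found = scan_for_aes_tables(constructed_image())
    for name, off in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"{name:14s} at offset 0x{off:04x}")
```

Run against the sample's data sections, the result set tells you more than "AES present": decryption tables without their `Te*` counterparts mean the code only ever decrypts, which is what a downloader that unwraps a fetched payload needs, whereas a table set with `Te*` as well would suggest the sample also encrypts (for example, beaconing or exfiltration).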